DNS Resolver not working



  • Good morning.
    I have a customer that we just acquired that is using a pfSense firewall with version 2.3.x of the firmware. Their internet went down yesterday and after troubleshooting, we found that the issue was DNS. The DNS Resolver service was not running on the firewall and when you try to start it, it fails. However the DNS Resolver is checked off in "Services". The temp fix for me was to manually put in DNS servers for each of the DHCP scopes.

    I tried to upgrade the firmware but that failed without much notification as to why. All the diagnostics on the hardware seem to check out from what I can tell.

    What information do you guys need from me to help me troubleshoot this issue? I did reboot the device and make a backup of the config already.

    Thanks!

    Dan


  • Rebel Alliance Global Moderator

    Is it an actual netgate appliance, some DIY box - some china box?

    Details of the hardware
    What is the error in the log when the resolver tries to start?
    What is the error when you try to upgrade?



  • @johnpoz I am not too familiar with the interface so I am looking for the logs now for you.


  • Rebel Alliance Global Moderator

    What is the hardware?



  • @johnpoz It's a Netgate SG-2440

    I did find this in the logs; it looks like someone is trying to gain access:
    Sep 14 09:24:32 sshd 9241 Failed password for root from 187.189.27.112 port 46502 ssh2
    Sep 14 09:24:32 sshd 9241 Connection closed by 187.189.27.112 port 46502 [preauth]
    Sep 14 09:24:34 sshd 9679 Invalid user ubnt from 186.47.169.189
    Sep 14 09:24:34 sshd 9679 input_userauth_request: invalid user ubnt [preauth]
    Sep 14 09:24:35 sshd 9679 Failed password for invalid user ubnt from 186.47.169.189 port 55229 ssh2
    Sep 14 09:24:35 sshd 9679 Connection closed by 186.47.169.189 port 55229 [preauth]
    Sep 14 09:24:38 sshd 10185 Invalid user telecomadmin from 143.255.153.159
    Sep 14 09:24:38 sshd 10185 input_userauth_request: invalid user telecomadmin [preauth]
    Sep 14 09:24:38 sshd 10185 Failed password for invalid user telecomadmin from 143.255.153.159 port 57483 ssh2
    Sep 14 09:24:39 sshd 10185 Connection closed by 143.255.153.159 port 57483 [preauth]
    Sep 14 09:24:42 sshd 10599 Failed password for admin from 73.83.56.31 port 52580 ssh2
    Sep 14 09:24:42 sshd 10599 Connection closed by 73.83.56.31 port 52580 [preauth]
    Sep 14 09:24:46 sshd 11009 Failed password for admin from 41.79.66.112 port 48675 ssh2
    Sep 14 09:24:47 sshd 11009 Connection closed by 41.79.66.112 port 48675 [preauth]



  • Sep 14 09:41:06 unbound 77171:0 error: validator: could not apply configuration settings.
    Sep 14 09:41:06 unbound 77171:0 error: module init for module validator failed
    Sep 14 09:41:06 unbound 77171:0 fatal error: failed to setup modules
    Sep 14 09:45:30 unbound 52959:0 notice: init module 0: validator
    Sep 14 09:45:30 unbound 52959:0 error: failed to read /root.key
    Sep 14 09:45:30 unbound 52959:0 error: error reading auto-trust-anchor-file: /var/unbound/root.key
    Sep 14 09:45:30 unbound 52959:0 error: validator: error in trustanchors config
    Sep 14 09:45:30 unbound 52959:0 error: validator: could not apply configuration settings.
    Sep 14 09:45:30 unbound 52959:0 error: module init for module validator failed
    Sep 14 09:45:30 unbound 52959:0 fatal error: failed to setup modules
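The unbound lines above say the validator module could not load its auto-trust-anchor file (pfSense runs unbound chrooted in /var/unbound, so `/root.key` and `/var/unbound/root.key` name the same file), and unbound refuses to start without a usable root trust anchor. The checker below is an added example, not code from the thread or from pfSense: it reads a root.key in the format unbound-anchor / Unbound's autotrust module writes, reports why the read failed (missing, unreadable, empty, malformed, or no key in the VALID state) and, when the file is fine, which root key tag is trusted. The sample file contents are constructed; the key material is shortened and not a real root KSK, and the timestamps are illustrative.

```python
"""Sanity-check an Unbound auto-trust-anchor file (root.key).

Unbound's autotrust code stores each trust anchor as a DNSKEY/DS RR for
"." followed by ;;state= / ;;count= bookkeeping on the same line, after a
;;-comment header.  A file that is missing, unreadable, empty or that has no
anchor in the VALID state makes the validator module fail to initialise.
"""
import re
import sys

# Autotrust key states (Unbound autotrust.c); only state 2 = VALID is usable.
STATE_NAMES = {0: "START", 1: "ADDPEND", 2: "VALID",
               3: "MISSING", 4: "REVOKED", 5: "REMOVED"}

# Constructed sample in the on-disk format.  Key data is shortened and is
# NOT the real root KSK; timestamps are made up.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1505378399 ;;Thu Sep 14 09:39:59 2017
;;last_success: 1505378399 ;;Thu Sep 14 09:39:59 2017
;;next_probe_time: 1505421615 ;;Thu Sep 14 21:40:15 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.\t86400\tIN\tDNSKEY\t257 3 8 AwEAAaz/tAm8yTn4EXAMPLEKEYDATA ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1504000000 ;;Tue Aug 29 09:46:40 2017
"""

_RR_RE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<rrtype>DNSKEY|DS)\s")
_ID_RE = re.compile(r"\{id = (?P<keytag>\d+)")
_STATE_RE = re.compile(r";;state=(?P<state>\d+)")


def parse_trust_anchor(text):
    """Return one dict per anchor RR found in root.key text."""
    anchors = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # header / bookkeeping comment lines
        m = _RR_RE.match(line)
        if not m:
            continue  # not an anchor record
        keytag = _ID_RE.search(line)
        state = _STATE_RE.search(line)
        st = int(state.group("state")) if state else None
        anchors.append({
            "owner": m.group("owner"),
            "rrtype": m.group("rrtype"),
            "keytag": int(keytag.group("keytag")) if keytag else None,
            "state": st,
            "state_name": STATE_NAMES.get(st, "UNKNOWN"),
        })
    return anchors


def diagnose_trust_anchor_text(text):
    """(ok, message) for root.key contents already read into memory."""
    if not text.strip():
        return False, "file is empty; the anchor was never written"
    anchors = parse_trust_anchor(text)
    if not anchors:
        return False, "no DNSKEY/DS records parsed; file is malformed"
    valid = [a for a in anchors if a["owner"] == "." and a["state"] == 2]
    if not valid:
        states = ", ".join(f"{a['keytag']}:{a['state_name']}" for a in anchors)
        return False, f"no VALID root anchor (states: {states})"
    tags = ", ".join(str(a["keytag"]) for a in valid)
    return True, f"{len(valid)} VALID root anchor(s), keytag {tags}"


def diagnose_trust_anchor(path):
    """(ok, message) for a root.key on disk.  Unlike unbound's bare
    'failed to read', this says *why* the read failed."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        return False, f"{path} does not exist"
    except PermissionError:
        return False, f"{path} exists but is not readable"
    return diagnose_trust_anchor_text(text)


if __name__ == "__main__":
    # Default path is where pfSense's unbound expects the anchor.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/unbound/root.key"
    ok, msg = diagnose_trust_anchor(target)
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_root_key.py /var/unbound/root.key` on the firewall (or against a copy of the file). Since unbound runs chrooted and as its own user, a "does not exist" result for a file you can see as root usually means the file is outside the chroot or unreadable to the unbound user rather than truly absent; check the path relative to /var/unbound and the file's owner and mode.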



  • My General log also is flooded with these now:

    Sep 14 09:54:29 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
    Sep 14 09:54:29 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
    Sep 14 09:54:30 dhcpleases Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid)


  • Rebel Alliance Global Moderator

    Well yeah, having ssh open to the public is going to fill your logs with noise ;) Lots of bots out there looking for insecure ssh. You could see 1000s of these a day. This is why you normally don't have ssh open to the public unless you lock it down to your known source IPs; for sure it should be public-key only, and probably run some sort of fail2ban to lower the brute-force noise in the logs. Changing the port can also lower the log spam.

    This is OLD... but it looks like the same sort of problem with your roots.
    https://forum.netgate.com/topic/78531/unbound-cannot-start-in-2-2-release/2

    Can't hurt to try this:
    https://forum.netgate.com/post/510554
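The sshd lines Dan posted show five different source addresses, each failing once a few seconds apart, which is exactly the pattern a fail2ban-style per-source ban never trips. The script below is an added example, not code from the thread, from pfSense or from fail2ban: it applies a per-IP threshold like fail2ban's sshd jail to the posted lines, and alongside it a second rule that flags many distinct sources failing inside one short window. The thread's own log lines are embedded as `THREAD_LOG`; the `CONSTRUCTED_EXTRA` lines from 203.0.113.7 (RFC 5737 documentation range) are made up to show a single repeat offender, and the thresholds are illustrative defaults, not values from any tool.

```python
"""Fail2ban-style triage of sshd 'Failed password' events, with a second rule
for the distributed case (many sources, one attempt each)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The lines posted in the thread (pfSense log viewer format: date, daemon,
# pid, message).
THREAD_LOG = """\
Sep 14 09:24:32 sshd 9241 Failed password for root from 187.189.27.112 port 46502 ssh2
Sep 14 09:24:32 sshd 9241 Connection closed by 187.189.27.112 port 46502 [preauth]
Sep 14 09:24:34 sshd 9679 Invalid user ubnt from 186.47.169.189
Sep 14 09:24:34 sshd 9679 input_userauth_request: invalid user ubnt [preauth]
Sep 14 09:24:35 sshd 9679 Failed password for invalid user ubnt from 186.47.169.189 port 55229 ssh2
Sep 14 09:24:35 sshd 9679 Connection closed by 186.47.169.189 port 55229 [preauth]
Sep 14 09:24:38 sshd 10185 Invalid user telecomadmin from 143.255.153.159
Sep 14 09:24:38 sshd 10185 input_userauth_request: invalid user telecomadmin [preauth]
Sep 14 09:24:38 sshd 10185 Failed password for invalid user telecomadmin from 143.255.153.159 port 57483 ssh2
Sep 14 09:24:39 sshd 10185 Connection closed by 143.255.153.159 port 57483 [preauth]
Sep 14 09:24:42 sshd 10599 Failed password for admin from 73.83.56.31 port 52580 ssh2
Sep 14 09:24:42 sshd 10599 Connection closed by 73.83.56.31 port 52580 [preauth]
Sep 14 09:24:46 sshd 11009 Failed password for admin from 41.79.66.112 port 48675 ssh2
Sep 14 09:24:47 sshd 11009 Connection closed by 41.79.66.112 port 48675 [preauth]
"""

# Constructed lines (not from the thread): one source hammering root.
CONSTRUCTED_EXTRA = """\
Sep 14 09:25:01 sshd 11412 Failed password for root from 203.0.113.7 port 40001 ssh2
Sep 14 09:25:04 sshd 11420 Failed password for root from 203.0.113.7 port 40002 ssh2
Sep 14 09:25:09 sshd 11433 Failed password for root from 203.0.113.7 port 40003 ssh2
"""

# Accepts both "sshd 9241 msg" (pfSense viewer) and "host sshd[9241]: msg" (syslog).
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:\S+\s+)?sshd\[?\s*\d+\]?:?\s+(?P<msg>.*)$")
_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>[0-9a-fA-F.:]+) port \d+")


def parse_failures(lines):
    """Return sorted (timestamp, user, ip) tuples, one per failed auth.
    'Invalid user' and 'Connection closed' lines are context, not counted,
    so each attempt is counted exactly once."""
    events = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        f = _FAIL_RE.search(m.group("msg"))
        if not f:
            continue
        # syslog omits the year; 2000 is a leap year so Feb 29 lines parse too
        ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        events.append((ts, f.group("user"), f.group("ip")))
    return sorted(events)


def triage(lines, per_ip_max=3, per_ip_window=timedelta(minutes=10),
           campaign_min=5, campaign_window=timedelta(seconds=60)):
    """Per-source rule (fail2ban style) plus a distinct-sources-per-window rule."""
    events = parse_failures(lines)
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append(ts)

    # Rule 1: one source reaches per_ip_max failures inside per_ip_window.
    ban = set()
    for ip, times in by_ip.items():
        for i in range(len(times) - per_ip_max + 1):
            if times[i + per_ip_max - 1] - times[i] <= per_ip_window:
                ban.add(ip)
                break

    # Rule 2: at least campaign_min *distinct* sources fail inside one
    # campaign_window; each may stay under the per-source threshold.
    campaign = False
    for i, first in enumerate(events):
        window = [e for e in events[i:] if e[0] - first[0] <= campaign_window]
        if len({e[2] for e in window}) >= campaign_min:
            campaign = True
            break

    return {"failures": len(events), "sources": len(by_ip),
            "ban": sorted(ban), "distributed_campaign": campaign,
            "usernames": sorted({u for _, u, _ in events})}


def triage_text(text, **kw):
    """Convenience wrapper taking the raw log text."""
    return triage(text.splitlines(), **kw)


if __name__ == "__main__":
    print("thread lines only:", triage_text(THREAD_LOG))
    print("with repeat offender:", triage_text(THREAD_LOG + CONSTRUCTED_EXTRA))
```

On the thread's lines alone the per-source rule bans nobody, while the distributed rule fires (five sources in fourteen seconds trying root, admin, ubnt and telecomadmin, the usual default-credential list). That is the practical point behind the advice above: log-based banning trims noise from a single persistent source, but only restricting the listener to known source addresses and requiring public keys actually takes password guessing off the table.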



  • @johnpoz said in DNS Resolver not working:

    This is OLD... but it looks like the same sort of problem with your roots.
    https://forum.netgate.com/topic/78531/unbound-cannot-start-in-2-2-release/2
    Can't hurt to try this:
    https://forum.netgate.com/post/510554

    Thank you! I will try this on Monday. We didn't set up this equipment so I am playing catch-up. I love the idea of this open source firewall though, and so far the community seems great!